WEP And PPTP Password Crackers Released

Jacco de Leeuw writes "SecurityFocus published an article by Michael Ossmann that discusses the new generation of WEP cracking tools for 802.11 wireless networks. These are much faster as they perform passive statistical analysis. In many cases, a WEP key can be determined in minutes or even seconds. For those who have switched to PPTP for securing their wireless nets: Joshua Wright released a new version of his Cisco LEAP cracker called Asleap which can now also recover weak PPTP passwords. Both LEAP and PPTP employ MS-CHAPv2 authentication." Update: 12/22 00:14 GMT by T : Michael Ossmann wrote to point out his last name has two Ns, rather than one.

aircrack - Korek based attack

After capturing packets in kismet for 3 days (1.2million crypt packets), I successfully ran aircrack on the resultant .dump files. The WEP cracked almost as soon as the dump files had been parsed.

However, the essid remained hidden. How does one use the WEP key without an ssid?

Re:Feasibility of dictionary attacks no protocol f

[amorsen]

If you have automatic server authentication (which is often fairly easy to do with certificates or simply stored keys a la ssh) then you can avoid man-in-the-middle.

We've known WEP was broken for a long time

This article shows that the time needed to break WEP is smaller than previously demonstrated, not that WEP is any less safe than before. Really, we've known WEP was no good for a _long_ time. The reasons are well known. Both WPA and the recently ratified 802.11i RSN provide good solid fixes to link layer wireless security.

So, this isn't really "new" news, although it should reinforce the message that WEP is worse than useless.

Securing wireless connections

[da.phreak]

I did not trust WEP even before this tools were released. I read a bit about securing the connection independent of the wireless equipment. Treating the wireless connection like a public network, I set up a Virtual Private Network (VPN). I'd like to share my experiences:

First I tried to setup IPSec. It was a nightmare. Although I know a lot about computers and networks I did not manage to setup IPSec. It's configuration is so complicated, I have no clue. Although, it must be possible to get IPSec running, maybe it's just me who is too stupid :). IPSec would have been the most secure solution, but despite public belief it's not that secure:

http://www.schneier.com/paper-ipsec.html

Then I tried Cipe. It was very easy to get it running, but it's horribly insecure. Peter Gutmann wrote a nice article, which was in the news on slashdot some time ago:

http://lists.virus.org/cryptography-0309/msg00257. html

In that article I read about tinc, which I now use. It's almost as easy to setup as cipe, but more secure (although not perfect and not as good as IPSec). Here is the answer of the developers of tinc to Peter Gutmann's article:

http://www.tinc-vpn.org/security

So, maybe if you believe them it's not that bad, I'm not sure about this.

I think one great advantage of the VPN-solutions is that AFAIK there are no tools available that make cracking them as easy as cracking WEP. So the "common War Driver" or Script Kiddie has no clue what to do, you'd need some kind of expert to crack your connection. And, if such an expert is trying to break your security, you maybe have a bigger problem anyway.

I just wanted to have an acceptable level of security and lock War Drivers out.

Re:Securing wireless connections

IPsec is actually quite secure when used properly. The main complaint of security experts like Schneier is that IPsec is too complex for most people to set up at all, let alone set up securely. Apparently you yourself fell victim to this complexity.

A working IPsec wireless gateway setup is described at WAVEsec.

The best lightweight VPN suite available in the free software world is probably OpenVPN. It uses standard SSL encryption instead of trying to invent its own, and so far no doubt has been cast on its security.

Re:End-to-End Security

[RAMMS+EIN]

MAC address restriction is an especially weak form of protection on wireless networks. Contrary to wired networks, where the switch may only send data over the wire connecting to the right card, a wireless AP must broadcast the data to everyone in hearing range. This means that you only have to assume one of the MAC addresses that are allowed to connect to the AP, and you're on the network.

Re:Old news

[DarkMantle]

The problem isn't about someone using another persons access point. The problem is what they use it to access. They are usually used to access things that the war driver doesn't want tracked to his home. So the problem isn't all the pr0n theve' been downloading, it's the age of the people in the pr0n. This then gets traced back to the IP address your router had at that date/time, and then you're charged for it.

Re:Old news

[LiquidCoooled]

Whats wrong with it is your not an ISP, and your not protected by the same rules, regulations and laws as them.

So if someone did illegal things through your connection, YOU will still be responsible.

Re:End-to-End Security

[Umrick]

What I'm looking at implementing (20 wireless tablet pcs used by physicians and their techs) is something more like this:

Bare open wireless with a dedicated DHCP/OpenVPN server. Server configured to only allow connections to/from known MAC addresses. Use OpenVPN (128 bit certificate keyed AES) to connect to the internal network.

Potentially an attacker could compromise one of the wireless devices, however the clients could be firewalled to permit only connections to/from the server to limit that exposure.

All clients are already setup with network/printer sharing disabled, so using the software firewall will be an acceptable risk.

Application level would be nice excepting for a few problems. Legacy apps that don't support it, and required services that can't be encrypted (printing/shared drives) without using a fairly brittle IPSEC solution. OpenVPN is a better solution. You end up with strong encryption, better key management, high resiliance (udp tunnelling, not tcp) to loss, higher throughput (lzo compression), and transparent protection.

Correction to submission

[paranode]

Just to clarify, it can crack the code in minutes or even seconds after you've already captured at least about a quarter of a million encrypted packets, maybe more. That will take longer than just a few minutes or seconds, most likely.

Re:Correction to submission

[mossmann]

By using reinjection techniques such as aireplay (part of the aircrack distribution), the time to collect a quarter of a million packets can be as little as a few minutes. I'll be discussing this in part two of the article.

This tool does

[anti-NAT]

I haven't looked at it for a while, I provided a few suggestions a while back. I thought it was a good idea. For non-authorised subnets, it sends bogus ARP replies, with bogus MAC addresses.

ipsentinel

Re:End-to-End Security

[JJahn]

Although it may seem that the switch will only send data to the computer that is connected to it, that is easily subverted by ARP poisoning. Don't feel safe from traffic sniffing just because you use a switch.

Re:End-to-End Security

[Geoff-with-a-G]

Encrypting the wireless link layer doesn't mean avoiding upper-layer security protocols like SSL or PGP, they solve two entirely different problems. You can still use SSL and PGP on top of your WEP/WPA layer.

Even if WEP was perfect, it wouldn't protect your traffic on the distribution system that your access-point connects to. The hubs, switches, and routers that your traffic flows through on the way to its destination are still carrying your traffic unencrypted, and it is subject to interception at those points. That's where upper-layer encryption comes in handy.

But those protocols still require secure connection or handshaking procedures between endpoints for all conversations. If you're on some corporate LAN where users are expected to be able to share their files via SMB, or IM each other, you don't require SSL and PGP authentication for every single network transaction. But that doesn't mean you want outsiders to be able to listen in on all your traffic by pointing an antenna at the building. The link between your workstation and the access-point is a wide-open vulnerability, and it's important that the hole be closed. WEP was an important attempt to close that hole, but a massively flawed one. The solution is to fix those flaws, not to require layer 7 authentication for all network traffic.

Re:IPsec is great

[loyukfai]

Win 2K/XP has IPSec support built-in, but it was a nightmare to configure (I persume it will be easier if you use L2TP/IPSec...?).

But you can use the following utility, it's not as polished as those $80 clients but it does the job, it's basically a front-end to configure the IPSec for you based on a simpler config file:

http://vpn.ebootis.de/

OpenVPN

[halfelven]

By far the best way to accomplish that is by using OpenVPN.
I tried everything, IPSec, SSH tunneling, you name it. They all suck. SSH is, let's face it, limited. IPSec is cumbersome, not exactly friendly to all operating systems, doesn't play well with NAT (unless you use UDP encapsulation), etc. It is glaringly obvious that it's a severely overdesigned protocol.

Enter OpenVPN. It uses SSL for encryption, but it's not a SSL-based pseudo-VPN, but a true VPN - it can forward any IP protocol. Think of it as having the functionality of IPSec, but using a simpler and more sensible implementation.
It's cross-platform (Linux, Windows, Solaris... you name it). It's simple to install and configure (same software can be either server or client and the config file semantics are similar). It's secure (it can use signed certificates, passwords, any authentication mechanism you like). It can compress the traffic on the fly (using LZO which is pretty damn fast and low-overhead). If you use TCP transport instead of UDP, it can tunnel through ordinary HTTP proxies. It has dummy-friendly GUI for Windows. It slices, it dices and it makes coffee... oh, well, maybe not that.

Anyway, i'm running an OpenVPN server on my home firewall, and i put OpenVPN on all my computers (my workstation at the office, my laptop, etc.). Wherever i go, i just fire up OpenVPN and "i'm home".
I run IMAP through it, so my IMAP clients (Evolution), no matter where they are, they "see" the same IMAP servers and folders. That is awesome - different systems, yet my mail looks the same. And it's also secure. ;-)

My wireless access point has no security whatsoever: no encryption, no MAC filtering, no SSID cloaking... it even gives you a DHCP address. :-) However, it's behind a totally restrictive firewall. The only way to work around that is to open an OpenVPN tunnel. Then you can do pretty much anything, through the tunnel, of course.

It rocks!

Re:Is PPTP considered safe?

[halfelven]

According to this very article we're commenting now :-) it's not secure.
Have a look at OpenVPN instead.

Treat it like any other vulnerability

[Sierpinski]

Just like you shouldn't say (or even dial) credit card numbers, bank account numbers, etc. over a cordless phone (My baby monitor has picked up dozens of conversations over the last couple years), users just should probably refrain from doing any big time financial or otherwise confidential "conversing" with a computer and WiFi.

Get an "open" hotspot, check the weather, check the game scores, but maybe you should leave the stock selling and the 401k reorganization until you get home.

Re:Easier for travelers

[b33t13]

Really? You've obviously never seen a demonstration of a rogue AP w/ portal just for snarfing your usernames and passwords. It can be done from a Zaurus, even.

You and Starbucks are pwned.

http://airsnarf.shmoo.com

Have a nice network.

Sincerely,

Beetle
The Shmoo Group